Hello John, this is Joe reaching out to you from Bluehost. We did get, uhh, some alerts that your website has malware on it! Very important you give me a call back my number is 855-434-7316 and my direct extension for you is 29032.
Thank you for contacting support. Please rate your support representative and the following areas from 1 to 5, 5 being the best, by pressing the numbers on the keypad. My representative was knowledgeable…
-Voicemail from 855-434-7316
At first, it seems like a pretty official warning from your web host’s technical support team. Malware? Now the adrenaline is flowing. You panic, you pick up the phone, and the next thing you know the support line is asking for your credit card number and payment authorization.
But how did we get here?
This particular case may be marketing agreements gone awry, but it can also be an indicator of a spear phishing attack. The first clue here was that the phone number, 855-434-7316, isn’t associated with Bluehost. In fact, a quick Google search of the number brings up several negative reports from users who have marked it as a telemarketing scam.
What is spear phishing?
Spear phishing is a cybersecurity threat that targets specific individuals. Whether the people behind it are scammers or marketers, they’re trying to build a complete profile so they can gain access to user accounts or sell that information to the next party. The key that differentiates phishing from spear phishing is that with spear phishing, the attackers already have some information about their target.
In this case, the caller knew:
- My name
- My phone number
- One of the companies I have web hosting with
The more information the attackers have about their target, the more official they can make their phishing attempt sound. This one sounds pretty official, too! They are calling from a toll-free number, they claim to be in a position of authority, they know some information about me, and they even have an extension!
The real threat
Some users have reported calling back for messages like the one above just to be met by someone claiming to be a security officer. The supposed security officer starts asking for passwords and mother’s maiden name “as a security verification.”
In reality, those attackers are collecting information about user accounts and personal security questions so that they can install the very malware they’re claiming to protect people from.
And sometimes it’s just marketing
Based on the responses at https://www.shouldianswer.com/phone-number/8554347316, this particular solicitation was likely a telemarketing call for expensive and unnecessary malware scanning services. I’m not calling back to find out, because I’m not using a third-party vendor to defend those sites from malware.
Sure enough, there was also no email or notification from Bluehost indicating that they had actually found malware. A quick review of the file system also showed nothing out of the ordinary, so there wasn’t really any urgency to follow up. Even if I’m not interested in buying anything, the representative could continue to attempt to draw out information so that they can add details to the profile of me that they’re building.
Chances are, this was just a telemarketing call with a deceptive pitch. They don’t think of themselves as “spear phishing,” because they call it “developing leads.” Either way, it represents a disclosure of more information than is required to run my website operations, so it is a security risk to be mitigated as much as possible.